aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
5,977 Commits
7 Branches
161 Tags
169 MiB
main-7.0.x
master
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'def2b58725'
${ noResults }
Commit Graph

5514 Commits (def2b58725e6876abecceccecb096ba005eb34bc)

Author SHA1 Message Date
Victor Julien a083513c49 decode: optimize DecodeThreadVars layout 
Put common counters on the first cache line. Please the flow output
pointer last as it's use depends on the flow logging being enabled
and even then it's only called very rarely.
 10 years ago
Victor Julien fe5a85aea0 decode: add erspan counter 10 years ago
Victor Julien 928957f0a3 decode: add ERSPANv1 decoder 
Only allow v1 to be parsed as thats what is tested.

Take vlan_id from the ERSPAN layer.
 10 years ago
Victor Julien aa6b24f814 decode: clean up tunnel decode logic 
Don't use mix of existing and custom types to indicate the next
layer.
 10 years ago
Victor Julien ef7cd043cc detect: various header cleanups 10 years ago
Victor Julien 5483b800c5 detect: remove struct/union tricks from Signature 10 years ago
Victor Julien 8949054212 detect: remove unused match_flags from inspect engines 10 years ago
Victor Julien 9fa2f85cc7 http: improve body pruning 
Take inspect window into account.
 10 years ago
Victor Julien 0bbc818b2d http: fix body tracking 
In HTTP body tracking for response bodies, pruning body chunks was broken
as the body parsing code wouldn't update HtpBody::body_parsed.
 10 years ago
Victor Julien 3203555708 http-client-body: create unittest util func 10 years ago
Eric Leblond d837562441 logging: fix modules ordering during logging 
With the previous code the order of the logging modules in the
YAML were determining which module was run first. This was not
wished and a consequences was that the EVE fileinfo module was
not correctly displaying the key 'stored' because it was
depending on a flag set alter by the filestore module.

This patch adds a priority file to the TmModule structure. The
higher the priority is set, the sooner the module is run in the
logging process. The RunModeOutput structure has also been
updated to contain the name of the original TmModule. Thus allowing
to define a priority for a RunModeOutput.

Currently only the filestore has a priority set. The rest of them is
set to the default value of zero.
 10 years ago
Eric Leblond be07620a60 output-lua: sync variable name with yaml 
'script-dir' was used in the code but we had 'scripts-dir' in the
configuration file. This patch fixes it to 'scripts-dir'.
 10 years ago
Jason Ish ae23144b67 --set - handle spaces on either side of '=' 
Discard spaces when provided as part of --set around the '='. For
example, "val=key", "val = key", "val= key" and "val =key" are
all equivalent now.
 10 years ago
Jason Ish d9fe95bc8a conf - function declaration style 
Use consistent style - function return type and declaration on
same line.
 10 years ago
DIALLO David 0a4fd39f9c modbus: fix heap-buffer-overflow in Modbus parser 
Modbus parser does not check length to extract/read data (read or write address,
quantity of data, etc.) that should be present.

In case of malformated data (invalid length in header), Modbus parser reads data
over the input data length.

Add check before extracting/reading data from input buffer to avoid head buffer
overflow.
 10 years ago
Victor Julien 07efec550d counters: use ptr to name instead of copy 
All counters have hardcoded names, so copies are not needed.
 10 years ago
Victor Julien 7e66c70507 counters: don't run if no counters have been registered 10 years ago
Victor Julien cb5aa8f8d5 counters: work around unix-socket init issues 10 years ago
Victor Julien e48153c6b0 counters: make threads cleanup all memory 10 years ago
Victor Julien 81548ae3e8 counters: clean up global context 10 years ago
Victor Julien 84b8829cb4 counters: turn flow.memuse into a global counter 10 years ago
Victor Julien 0a262acdfb counters: make DNS counters globals 10 years ago
Victor Julien ac069c579a counters: make tcp.memuse a global counter 10 years ago
Victor Julien cddbb0f606 http: make http.memuse a global counter 
http.memcap as well.
 10 years ago
Victor Julien f05d0692ef counters: remove references to 'perf' counters 10 years ago
Victor Julien faef92f8da counters: remove last and now unused tm_name reference 10 years ago
Victor Julien 83f27ae2a5 counters: remove old unix socket json logic 10 years ago
Victor Julien 41ead6611a counters: minor internal API cleanups 10 years ago
Victor Julien d2a9ef2680 counters: rename unparsable SCPCAElem to StatsLocalCounter 10 years ago
Victor Julien 4c3ccda72e counters: minor header cleanup 10 years ago
Victor Julien 752f03e7a4 counters: remaining s/SCPerf/Stats/g 10 years ago
Victor Julien 4362d0a6e9 counters: s/SCPerfPrivateContext/StatsPrivateThreadContext/g 10 years ago
Victor Julien 628c3b1bc7 counters: s/SCPerfPublicContext/StatsPublicThreadContext/g 10 years ago
Victor Julien 7e70f136ec counters: various renames and cleanups 10 years ago
Victor Julien 30cce2bd29 counters: s/SCPerfCounterSetUI64/StatsSetUI64/g 10 years ago
Victor Julien 1c0b4ee0ae counters: s/SCPerfCounterIncr/StatsIncr/g 10 years ago
Victor Julien 8992275b0c counters: s/SCPerfCounterAddUI64/StatsAddUI64/g 10 years ago
Victor Julien 60d9eb6790 counters: clean up defines 10 years ago
Victor Julien 1ef786e7cb counters: rename register API calls 
Also remove 'type' parameter which was always the same.
 10 years ago
Victor Julien 3fab736539 log-stats: make global/threads logging configurable 10 years ago
Victor Julien 2c9a2c8327 stats: support per thread stats in json output 
Default is only to output totals. Optionally per thread can be added.

Both can be enabled together.
 10 years ago
Victor Julien 175831331c stats json: replace strndup 
strndup is a banned function.
 10 years ago
Victor Julien 6565c86f96 stats-json: fixes and improvements 
Use proper LogFileCtx and MemBuffer handling so we can have multiple
loggers active at the same time.

Change 'date' field to timestamp, and use ISO notation to make it
the same as the other JSON outputs.
 10 years ago
Tom DeCanio e4e07d0c3b eve-log: stats logging code cleanup. 10 years ago
Tom DeCanio 117eed0385 eve-log: add JSON stats logging 
Support for counters in stats.log in eve output JSON stream.
 10 years ago
Victor Julien 23f17950bc counters: pass per thread stats to output api 
As well as the global (merged) stats.
 10 years ago
Victor Julien de82b6d31e counters: rename widely used pctmi var to sts (stats thread store) 10 years ago
Victor Julien 60c5ad4649 counters: call global counters funcs 10 years ago
Victor Julien 33756abd87 counters: split API init 
Split into early ctx initialization and post-config setup.
 10 years ago
Victor Julien d05eed3735 counters: start using Stats prefix 10 years ago
Victor Julien f300ad253e counters: simplify and speedup counters sync 10 years ago
Victor Julien 0478407833 counters: remove threadvars arg from SCPerfAddToClubbedTMTable 10 years ago
Victor Julien 2346a88db7 counters: remove thread module name from counters API 10 years ago
Victor Julien b5bd3dee13 stream: make tcp.reassembly_memuse counter global 
Fixes bugs #632 and #1178
 10 years ago
Victor Julien 06461e37da counters: global counters registration 10 years ago
Victor Julien 9bbef55c4d Fix harmless typo in IPOnlyCIDRItemNew's SCReturnPtr use 10 years ago
Victor Julien b293a4b7d0 counters: remove unused description 10 years ago
Victor Julien 711cd7b59b counters: merge counters from threads for output 
Merge counters so the table contains combined values from counters
from each thread.

Use global counter id's, track them in a hash.

Rename SCPCAElem members

Fix and improve average counters
 10 years ago
Victor Julien 7da657dc3d counters: remove unused public API calls and make them private 10 years ago
Victor Julien ac6e24c06a counters: make SCPerfSetupPrivate a function 10 years ago
Victor Julien 66635f0741 counters: minor cleanups 10 years ago
Victor Julien 74ab84c194 counters: introduce SCPerfSetupPrivate for thread setup 10 years ago
Victor Julien 799640f906 counters: make threadvars::perf_private_ctx static 
Update SCPerfGetAllCountersArray and add a UT workaround.
 10 years ago
Victor Julien 55cfab89e4 counters: SCPerfGetLocalCounterValue cleanup 
Return u64, update arguments.
 10 years ago
Victor Julien b34c6dc93a counters: remove references to SCPerfCounterAddDouble 
They were all in comments anyway.
 10 years ago
Victor Julien e9b067c1eb counters: make increment call take threadvars 
This hides the implementation from the caller.
 10 years ago
Victor Julien 9a8bff7d96 counters: threadvars s/sc_perf_pca/perf_private_ctx/g 10 years ago
Victor Julien 50bb995458 counters: rename threadvars public counters 10 years ago
Victor Julien 6ffbc3a362 counters: s/SCPerfContext/SCPerfPublicContext/g 10 years ago
Victor Julien 0a5ae1b403 counters: s/SCPerfCounterArray/SCPerfPrivateContext/g 
Goal is to make it's purpose clear.
 10 years ago
Victor Julien 9f584483be counters: minor cleanups 10 years ago
Victor Julien 1e8142c699 logfile: rename ALERT_ types to LOGFILE_TYPE_ 10 years ago
Eric Leblond 4c6a7bea30 output-json: suppress global variable 
It uses the new type field in the LogFileCtx instead.

This fixes the problem of not being able to use two eve-json
instance with different logging methods.
 10 years ago
Eric Leblond 636e3d93c0 log file: add type flag 
It will be used to store if the file is syslog or a real file.
 10 years ago
Eric Leblond 39d667ff56 output-json: fix type of data parameter 
The cast of data to AlertJsonThread was not correct as the real
type of the void pointer is a OutputJsonCtx. This was working by
luck because they both have a file_ctx as first element.
 10 years ago
Alexander Gozman f11e237d77 Feature #1440: support wildcards in rule filenames 10 years ago
David Cannings 4f8f53d080 Fix rcode parsing, as noticed by Coverity. 
Without support for OPT RR from RFC6891 (Extension mechanisms for DNS)
values of RCODE above 15 are not possible.  Remove dead code which will
never match.
 10 years ago
Jason Ish 9fdae82815 conf - process includes even if not at root node. 10 years ago
Jason Ish 56f6e37304 radix-tree - prevent out of bounds array access 
An IPv6 entry specified before an IPv4 entry on the host-os-policy
table can cause the stream byte array to be access one byte after
the end of the allocated memory at util-radix-tree.c:578.
 10 years ago
Jason Ish 3e5b8f48b1 Bug 1281 - Add tests for rule content of lengths > 255. 10 years ago
Jason Ish e2b04635a7 Bug 1281 - Accept rule content with lengths greater than 255. 10 years ago
Victor Julien 0e22e95e47 alert-json: fix stream logging for IPS mode 
Switch direction in IPS mode.
 10 years ago
Victor Julien 5037ea93f3 threads: add untimed control cond call 
The control conditions so far could only do timed waits, not normal
waits.
 10 years ago
Victor Julien c7bc9ae6a8 detect: minor cleanups 10 years ago
Victor Julien bc2b53f10b parsing: s/strtok/strtok_r/g 
Remove all strtok uses and replace them by strtok_r.

Do the same for Windows builds. Cygwin builds fine with strtok_r.

Add strtok to banned function list.
 10 years ago
Victor Julien fb479902e4 threading: explain purpose of threadvars mucond 10 years ago
Victor Julien 478719ee9d flow: don't hold tv_root_lock longer than needed 
Don't hold it longer than needed in shutting down.
 10 years ago
Victor Julien c96805e839 threading: remove unused cmd thread create func 10 years ago
Victor Julien df5e9d44ca unix-manager: convert to thread module 
Sync command thread for unix manager with other managers and make
it a full thread module.
 10 years ago
Victor Julien cc01b5f6b6 reference/classification: call global init for unittests 10 years ago
Victor Julien 34f2ff067b reference: update pcre globals use 
Don't update globals each time we parse, but instead do it once at
startup.
 10 years ago
Victor Julien 46d401e3bb classification: update pcre globals use 
Don't update globals each time we parse, but instead do it once at
startup.
 10 years ago
Victor Julien b2da57c827 reference: remove global 10 years ago
Victor Julien 393689ce44 classification: remove global from parsing 
Parsing code used a 'fd' global. Remove this.
 10 years ago
Victor Julien 9764a35604 stream: fix --disable-detection reassembly issue 
Due to an error at initialization, the stream engine would not disable
'raw' reassembly automatically when --disable-detection was used.

This lead to segments not getting cleared from the segment lists.
 10 years ago
Victor Julien c1558f5ac4 stream: remove FLOW_NO_APPLAYER_INSPECTION flag 
Instead, intruduce StreamTcpDisableAppLayer to disable app layer
tracking and reassembly. StreamTcpAppLayerIsDisabled can be used
to check it.

Replace all uses of FlowSetSessionNoApplayerInspectionFlag and
the FLOW_NO_APPLAYER_INSPECTION.
 10 years ago
Victor Julien b6798495c5 stream: remove FLOW_NO_APPLAYER_INSPECTION use from tests 10 years ago
Victor Julien b2e1854e2a stream: improve 'no app layer' handling 
When the session/flow was flagged as 'no applayer inspect', which
could happen as a result various reasons, packets would still be
considered by the app layer reassembly.

When ACK'd, they would be removed again. Depending also on the raw
reassembly.

In very long sessions however, this meganism could fail leading to
virtually endlessly growing segment lists.

This patch makes sure that segments that come in on a 'no app layer'
session are tagged properly or even not added at all.

Use a new ssn flag instead of flow flag for no app tracking.
 10 years ago
Victor Julien 22a810813c app-layer: add DisableAppLayer 
Move various app layer related flag setting calls into a utility
function "DisableAppLayer"
 10 years ago
Victor Julien f536099a67 app-layer: de_state optimization 
Add API to bypass expensive TX list walks. This API call is optional.

Implement it for HTTP and DNS.
 10 years ago
Victor Julien 5f0678120d detect-state: update test to check state storing 10 years ago
Victor Julien 37f0bd57b6 detect-state: handle duplicate inspect/match 
If for a packet we have a TX N that has detect state and a TX N+1 that
has no detect state, but does have 'progress', we have a corner case
in stateful detection.

ContinueDetection inspects TX N, but cannot flag the rule in the
de_state_sig_array as the next (TX N+1) has already started and needs
to be inspected. 'StartDetection' however, is then unaware of the fact
that ContinueDetection already inspected the rule. It uses the per
session 'inspect_id' that is only moved forward at the end of the
detection run.

This patch adds a workaround. It uses the DetectEngineThreadCtx::
de_state_sig_array to store an offset between the 'base' inspect_id
and the inspect_id that StartDetection should use. The data type is
limited, so if the offset would be too big, a search based fall back
is implemented as well.
 10 years ago
Victor Julien bc6e4140be detect: add de_state duplication check 
Add test to check if no duplicate destate is created.

Only enabled with DEBUG_VALIDATION.
 10 years ago
Victor Julien 9d198e6662 detect-state: fix state storing 
Fix storing state and bypassing detection. Previously we'd store
on a match only, meaning that StartDetection would rerun often.

Make sure StartDetection only stores if there is something to store.
 10 years ago
Victor Julien 359e2d68f5 detect-http-header: improve buffer handling 
Previously we could never be calling DetectEngineHHDGetBufferForTX
for TX N and then afterwards for TX N - 1. Due to changes in the
stateful detection code this is now possible.

This patch changes the buffer logic to take the 'inspect_id' as it's
base, instead of the first transaction that we are called with.
 10 years ago
Victor Julien 62e937672d detect-events: set SIG_MASK_REQUIRE_*_STATE for events 
Set SIG_MASK_REQUIRE_*_STATE for event rules to earlier discard
them.
 10 years ago
Victor Julien 8d0b090150 engine-analysis: print fast_pattern summary 
When using engine analysis for print fast_pattern stats, print a
short summary at the end containing per buffer:
- smallest fp
- biggest fp
- number of patterns
- avg fp len
 10 years ago
Victor Julien 21f9328989 lua: fix error handling 10 years ago
Victor Julien 52195a4192 http: add event for leading spaces on request line 
Libhtp will issue a warning in this case, so we can match on this.
This patch adds event, rule and unittest.
 10 years ago
Victor Julien 2f85308afe threads: fix missing unlock in error handling 
If TmThreadsUnregisterThread was called with out of range 'id', a lock
would not be cleared after returning from the function.

** CID 1264421:  Missing unlock  (LOCK)
/src/tm-threads.c: 2186 in TmThreadsUnregisterThread()
 10 years ago
Eric Leblond 0303245761 af-packet: use max packet size as snaplen 
If default_packet_size is set to 0, then we use the maximum packet
size as snaplen.
 10 years ago
Eric Leblond 43f691fef8 util-device: fix LiveBuildDeviceListCustom 
The code was assuming that the dictionnary containing the parameter
of a interface was ordered. But for YAML, the order is not assumed
so in case the configuration is generated we may not be able to
parse correctly the configuration file.

By iterating on child on main node and then iterating on subchild
and doing a match on the name, we are able to find the interface
list. In term of code, this algorithm was obtained by simply
removing the test on the name of the first child.
 10 years ago
Eric Leblond 268285c49f output-json-http: output status as an integer 
HTTP status is an integer and it should be written as such in the
JSON events. This will allow to have improved matching in log
analysis tools.
 10 years ago
Eric Leblond 58582df1c6 decode-der: decode DC keyword 
'DC' is used by some certificates and it was not currently translated
to a string.
 10 years ago
Giuseppe Longo 26ba647d58 filedata: read inspected tracker settings from suricata.yaml 10 years ago
Giuseppe Longo 4b5848616f filedata: implement inspected tracker 10 years ago
Giuseppe Longo 1f52410d0f UT: implement tests for inspection code 10 years ago
Giuseppe Longo d2657becc9 app-layer-smtp: make functions as public 10 years ago
Giuseppe Longo 84dc73d9de mpm: implement prefiltering for smtp 10 years ago
Giuseppe Longo f0c54d4764 Detect engine for smtp file_data file_data: inspecting smtp attachments 
Create a buffer to store reassembled file chunks,
and inspect the content.
 10 years ago
Giuseppe Longo b9468aba7c FileData: add stream_offset field 
This is required to store the offset for reassembling chunks.
 10 years ago
Giuseppe Longo 68cf3dd621 file_data: register keyword for smtp and tcp protocol 
Permits to use file_data keyword with smtp or tcp proto.
Also adds some unit tests
 10 years ago
Giuseppe Longo 04561f13d3 signature: set flags and test the protocol 
This checks if the signature's protocol is http
when setup the content keyword.

Also sets the proper flags based by protocol
since the flag SIG_FLAG_TOSERVER has to be set
if the proto is smtp, otherwise SIG_FLAG_TOCLIENT
is it's http.
 10 years ago
Giuseppe Longo 41a1a9f4af find and replace HSBDMATCH by FILEDATA 
This commit do a find and replace of the following:

- DETECT_SM_LIST_HSBDMATCH by DETECT_SM_LIST_FILEDATA
  sed -i 's/DETECT_SM_LIST_HSBDMATCH/DETECT_SM_LIST_FILEDATA/g' src/*

- HSBD by FILEDATA:
  sed -i 's/HSBDMATCH/FILEDATA/g' src/*
 10 years ago
Ken Steele eac83be121 Formatting cleanup in detect-replace.c 
Wrap lines longer than 80 characters
Add "static" for unit tests.
Use (void) for () for function arguments.
Add space after "while(" -> "while ("
Remove space after function names.
Put open bracket of function on a new line.
 10 years ago
Ken Steele ddec92676d Add a comment for DetectReplaceList 
Reworded a quote in PR 742 by Regit from Inliniac to explain why adding
the head of the list (really a FIFO) is the correct behavior.
 10 years ago
Ken Steele cf9da2be15 Fix DetectReplaceAddToList 
I see two problems:
1) If allocating a newlist fails, the function returns NULL, which then
   leaks any existing list elements.
2) The code to add the new value to the list works for the first two, but
   for not the third. For example, replist=A, A->next=B, B->next=NULL, then
   adding C results in replist=A, A->next=C, C->next=NULL, B is lost.

The fix pushes new values onto the head of the list, which might not be
what is needed, but there are no comments on what the function does, so I
made an assumption.
 10 years ago
Alexander Gozman d44eab82c1 Fix bug #1435 (data loss when dumping payloads to JSON) 10 years ago
Zachary Rasmor f0c659f82f Fix Bug #1204 
Fix typo that causes eve syslog settings code to be unreachable.
 10 years ago
Victor Julien 208d27abc7 stream: next_seq handling improvements 
Allow next_seq updating to recover from cases where last_ack has been
moved beyond it. This can happen if ACK's have been accepted for missing
data that is later retransmitted.

This undoes some of the previous last_ack update changes
 10 years ago
Alexander Gozman b12c53cd51 Add timezone to timestamp in JSON logs 10 years ago
David Cannings 2918a75da1 Added support for full parsing of the rcode header in DNS answer 
packets. Where rcode isn't "no error" this is displayed in both DNS and
JSON logs.

Note that this changes the current "No such domain" to "NXDOMAIN" in DNS
logs. This could be fixed if desired to maintain compatibility with
anybody crazy enough to parse the DNS log.

When the rcode is not "no error" (for example NXDOMAIN or SERVFAIL) it
is unlikely that there will be answer RRs. Therefore the rname from the
query is used.

Because the rcode applies to a whole answer packet (not individual
queries) it is impossible to determine which query RR caused the error.
Because of this most DNS servers currently reject multiple queries per
packet. Therefore each query RR is output instead with the relevant
error code, likely to be FORMERR if queries > 1.
 10 years ago
Victor Julien cf839c931f tls: force 'raw' reassembly after each record 
Trigger raw reassembly after each record and after the handshake.
 10 years ago
DIALLO David 04f3f5066d app-layer-modbus: fix deadlock in parsers 10 years ago
Victor Julien 6d170cadd7 smtp: fix mime boundary parsing issue 
If a boundary was longer than 254 bytes a stack overflow would result
in mime decoding.

Ticket #1449

Reported-by: Kostya Kortchinsky of the Google Security Team
 10 years ago
Victor Julien a4a1c396e1 pcap-file: fix malformed timestamp crash 
A bad timestamp would lead to SCLocalTime returning NULL. This case
wasn't checked, leading to a NULL deref.

Reported-by: Kostya Kortchinsky of the Google Security Team
 10 years ago
Pierre Chifflier fa73a0bb8f Fix possible wrap in uint32_t addition in DER parser 
Signed-off-by: Pierre Chifflier <pierre.chifflier@ssi.gouv.fr>
 10 years ago
Victor Julien a2d0441380 Bug 1340: fix missing flow cleanup 
Fix missing flow output cleanup function leading to a crash in the
unix socket mode.
 10 years ago
Victor Julien 04ccfda639 pcap: implement LINKTYPE_NULL 
Implement LINKTYPE_NULL for pcap live and pcap file.

From: http://www.tcpdump.org/linktypes.html

"BSD loopback encapsulation; the link layer header is a 4-byte field,
 in host byte order, containing a PF_ value from socket.h for the
 network-layer protocol of the packet.

 Note that ``host byte order'' is the byte order of the machine on
 which the packets are captured, and the PF_ values are for the OS
 of the machine on which the packets are captured; if a live capture
 is being done, ``host byte order'' is the byte order of the machine
 capturing the packets, and the PF_ values are those of the OS of
 the machine capturing the packets, but if a ``savefile'' is being
 read, the byte order and PF_ values are not necessarily those of
 the machine reading the capture file."

Feature ticket #1445
 10 years ago
Tom DeCanio 97a2d1ac26 fix reputation parser so that it accepts ipv6 addresses in configuration file. 10 years ago
Jason Ish 11d6770ae4 afl - SCHINfoLoadFromConfig - check for NULL before parsing. 
Found by AFL on suricata.yaml.
 10 years ago
Jason Ish 75d21851cf afl - Don't fail if app-layer proto enabled value is NULL. 
Found by using AFL on suricata.yaml.
 10 years ago
Eric Leblond 0376b60da9 email-json: free temporary 'cc' string 10 years ago
Eric Leblond bd67000b69 email-json: free temporary 'to' string 10 years ago
Eric Leblond 7b8184947a app-layer-smtp: fix SMTPTransactionFree function 
A typo was causing some freeing tasks not to be executed.
 10 years ago
Victor Julien 91ddf85323 profiling: fix sorting on very long runs 
Fix poor int handling breaking sorts of profiling on long runs
where the numbers could get really big.
 10 years ago
Victor Julien 1a83fee5f5 xbits: fix coverity warnings 
Switch statement would contain NOALERT even though this was
unreachable.
 10 years ago
Victor Julien 54d5e2eed5 coverity fix: don't do pointer check on static array 10 years ago
Victor Julien b9aaf5a9ab Fix potential deadlock in output 
Coverity:
** CID 1296115:  Program hangs  (ORDER_REVERSAL)
/src/tm-threads.c: 1670 in TmThreadClearThreadsFamily()

The problem is with the by default unused '%m' output parameter.
To get the thread vars it takes the tv_root_lock. This may already
be locked by the calling thread. Also, it could lead to a case of
wrong lock order between the tv_root_lock and the thread_store_lock.

Very unlikely to happen though.

As the %m param isn't really used (by default) this patch just
disables it.
 10 years ago
Victor Julien 94321b8a2f packet pool: fix memleaks 
Don't kill flow manager and recyclers before the rest of the threads. The
packet threads may still have packets from their pools. As the flow threads
would destroy their pools the packets would be lost.

This patch doesn't kill the threads, it just pulls them out of their run
loop and into a wait loop. The packet pools won't be cleared until all
threads are killed.

Wait for flow management threads to close before moving on to the
next steps in the shutdown process.

Don't destroy flow force reassembly packet pool too early. Worker
threads may still want to return packets to it.
 10 years ago